Recently in Spyware Category

Weatherbug alternative

Comments (3)

It is amazing the number of people who install WeatherBug on their machines - I suppose it doesn't help that major news programs promote it when doing their weather slot (every 3 minutes). In the past WeatherBug has had some pretty dodgy adware practices (just search Google) - I'm not sure if they still do, but that's a good reason not to use it again.
However, several years ago I came across WeatherWatcher as a freeware alternative with no popups, spam of email addresses or anything else dodgy. As I now have a "business need" to replace WeatherBug, this will do the trick nicely. As the settings are saved in the registry under HKCU, I think I can even set it up as I like on my machine, then export the registry key and import it into the other local users who will have the same zip code (or, if not, changing the zip code should be one entry in the exported reg file).
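The "one entry in the exported reg file" idea above can be automated rather than hand-edited in Notepad. The following is an added example, not code from the post or from WeatherWatcher: it parses a version 5.00 `.reg` export, changes a single string value and writes the file back out so it can be imported for another user. The key path and value names (`ExampleVendor\WeatherWatcher`, `ZipCode`) are hypothetical placeholders; the post does not say where WeatherWatcher keeps its settings.

```python
"""Rewrite one string value in an exported .reg file.

Added example (not from the blog post).  Given a registry export made with
regedit or `reg export`, change a single REG_SZ value (here a zip code) before
importing the file into another user's profile.  The key path and value names
below are hypothetical placeholders.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample export; the key and value names are assumptions.
SAMPLE_REG = "\r\n".join([
    HEADER,
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\WeatherWatcher]",
    '"ZipCode"="90210"',
    '"Units"="F"',
    '"RefreshMinutes"=dword:0000001e',
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\WeatherWatcher\Window]",
    '"Left"=dword:00000064',
    "",
])

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="Value" with the .reg escaping rules (\" for a quote, \\ for a backslash)
_STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Return {key_path: {name: value}}; string values are unescaped, other types kept raw."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a version 5.00 .reg export")
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value outside of a key section: {line}")
        m = _STRING_VALUE.match(line)
        if m:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("value"))
        else:
            name, _, raw = line.partition("=")   # dword:/hex: values kept verbatim
            keys[current][name.strip('"')] = raw
    return keys


def rewrite_string_value(text, key_path, name, new_value):
    """Return a copy of the export with one REG_SZ value replaced.

    Raises KeyError if the key or value is absent, so a typo cannot silently
    produce an unchanged file that then gets imported everywhere.
    """
    out, current, changed = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        m = _SECTION.match(stripped)
        if m:
            current = m.group("key")
        elif current == key_path:
            v = _STRING_VALUE.match(stripped)
            if v and _unescape(v.group("name")) == name:
                line = f'"{_escape(name)}"="{_escape(new_value)}"'
                changed = True
        out.append(line)
    if not changed:
        raise KeyError(f"{name} not found under {key_path}")
    return "\r\n".join(out) + "\r\n"


if __name__ == "__main__":
    key = r"HKEY_CURRENT_USER\Software\ExampleVendor\WeatherWatcher"
    print(rewrite_string_value(SAMPLE_REG, key, "ZipCode", "10001"))
```

One caveat for the import step: `HKEY_CURRENT_USER` in a `.reg` file always means the user running `reg import`, so the file has to be imported while logged on as each target user (or their `NTUSER.DAT` loaded under `HKEY_USERS` with `reg load` and the key paths in the file rewritten to match).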

Windows Defender

Comments (2)

Just downloaded the new Windows Defender - Microsoft's AntiSpyware software which was released a couple of days ago. It does make you wonder why the definitions are 22 days old if the product was only released a couple of days ago though.
The interface is pretty spartan but clean - I think it is meant to be the Vista look, but to me it looks more along the Teletubby path that XP started out with.
One thing I did like, but that wasn't made clear in the download pages is that you don't need to uninstall the previous AntiSpyware software first - Windows Defender will remove it for you.

More antispyware removal tips


CastleCops has a good wiki on removing horrible spyware. Will be useful next time a customer gets infected.

For my own benefit - Winpatrol, IE-Spyad

Rogue Spyware list.


I often go to a client's PC that "has anti-spyware installed" only to find they've clicked on and installed a popup that appeared whilst they were browsing. This list of rogue antispyware software is a good quick reference as to which spyware solutions are valid. Personally I only recommend Spybot Search & Destroy, Ad-Aware, Microsoft's AntiSpyware or CounterSpy (although I've not actually used the latter one, I know it has been getting good reviews and it is made by a reputable company).

Windows Antispyware updated.


Windows Antispyware build 1.0.701 is available to download or you can wait for the existing software to realise that a new version is out and update itself - it currently doesn't detect a new version is available.

MyWay was bundled on the new laptop and I didn't mind it too much until it started to hijack my search results in Internet Explorer. With a reg file merged into the computer, I am used to typing things like "gg fred" into the address toolbar in the bottom right of my screen to get the term fred loaded into Google results. By typing in "abso fred", it would return any mention of fred on this website. Not so with MyWay installed though - it would hijack these results to its own website. Even after uninstalling the software it still continued to do so until I rebooted the laptop (there was no request to reboot when the software was removed). It also leaves behind crud in the registry - I still had a "HKEY_CURRENT_CONFIG\Software\My Way SA" entry.
Looks like I'm not the only one to get a bit fed up with it. Get your act together, Dell!

It looks like the Google Desktop software has been updated recently, as the index status no longer shows how much of the index has been completed (or it has finally indexed the computer). The status on this computer is normally stuck at about 20% complete, but this information no longer appears on the status page. However, the CPU usage of the desktop search does seem to be often pegged around the 50% mark, so something is still not quite right there.
The AntiSpyware software also seems to have been updated, as the nightly scan that ran last night picked up UltraVNC as potential spyware even though it has been installed on the PC for about 2 months and I had previously flagged it as ignore.

Large ID theft taking place.


Surprisingly I've not seen that much blogging about the SpywareInfo » cws-id-theft website, where trojan software downloaded by CoolWebSearch can result in all sorts of personal information being uploaded to a file, ranging from credit card numbers, bank numbers, social security numbers etc.
Now the process of ensuring a PC is spyware free is not just restricted to running Spybot or the application of your choice. It is getting more and more likely that you would have to inform the various companies that hold personal information that your data may have been compromised. Just think for a second how many companies this could include if you use your PC to do banking, pay bills, apply for a job........
It's looking more and more likely that the only way to ensure you have a safe PC is to reformat it and start again.

Logmein

Comments (1)

MS AntiSpyware decided that LogMeIn was spyware last night due to the possibility of it being used for remote control from afar. I've had this software installed on the computer for several months and this is the first time that it has been detected. Naturally I've flagged it as "ignore always".

Startup process list


Bleeping Computer's startups list (I'm not sure if it is the computer that is bleeping or someone swearing at the computer) has a list of known startup processes, what they do and whether they can be disabled or not. I've got rid of quite a few entries from the new machine and it was useful for some of the HP-related utilities that I hadn't come across. I like this site as it actually gives you useful information, whereas something like liutilities.com seems to be vague and prompts you to purchase their utility to get more information.

New desktop

Comments (2)

We purchased a new computer from (shudder) CompUSA this morning. We got a very decently spec'ed HP Pavilion A1030N desktop with 512MB memory, 200GB hard disk, 3GHz Intel processor with HT technology (appears as 2 processors), DVD writer (with LightScribe so I can pay a fortune and have my DVD labels laser engraved - ooooohhhh) and a DVD-ROM. We also purchased a Norwood Micro 17" TFT screen to go with it, some speakers, blank DVDs and a small UPS to power it all. I also got a USB2 wireless adapter so the PC can be set up in the basement (or anywhere we feel like) without being confined to the computer room. This is made by Hawking Technologies (who I've never heard of) so it was a bit of a risk buying it, but at $20 after rebates it was cheap enough and I could always return it - but it seems to be working fine.
The whole lot is way cheaper than buying it in the UK and the price gets better as the rebate checks come in (3 for this lot!).
After switching the machine on and going through the boot-up procedure, it was time to install the wireless adapter, which went through without a hitch and connected to the wireless LAN a lot easier than other things I've connected. Then it was off to Windows Update......
18 items and 19MB to download (and it then detects I have some GDI-vulnerable programs). The machine also came bundled with some new antispyware software called SpySubtract which I must admit I'd never heard of. It had a 60 day trial so that's enough to let me see what it's like.
The other bundled software includes Norton's Internet protection suite (which will be uninstalled asap), Microsoft Works (useful for Word only), Microsoft Money (will be very handy for keeping track of our balances) and, interestingly, some WildTangent games. Now supposedly these games are not spyware, according to WildTangent's support site, but other spyware detection programs detect them as spyware as they report back PC specs and each user has a unique id. It will be interesting to see what SpySubtract thinks of it. Personally I will remove it if SpySubtract doesn't - I want to keep this machine as clean as possible.
Down points

  • SpySubtract keeps bugging me that it needs a new download to update it, even though the download program then says that the patch has already been applied
  • Adobe Reader 6 is installed, not 7
  • WildTangent
  • HD has a recovery partition on it, but no instructions on how to use it (that I can see so far)

More updates as I carry on the installation of the machine.

I installed the MS AntiSpyware on the parents-in-law (PIL) computer and although it didn't find anything it does have some funny things going on.
If I log on as me I get no alerts from the application. However, if I log off and then log on as the PIL I get 3 alerts pop up as below. However, these only occur if I've logged on before they have. I can't work out what application keeps changing these settings as there is nothing obvious in the startup list. Any ideas?
Interestingly, the URL redirects to altavista.com.


Internet Explorer URLs alert

Internet Explorer URL for Search Bar has been allowed to be changed from http://go.compaq.com/1Q00CDT/0409/bl8.asp to http://www.google.com/ie. This URL is in the user's allowed Internet Explorer URL list

Internet Explorer Security Settings alert

Occured on: 4/27/2005 at 10:12:49 AM

An Internet Explorer security setting & Warn about invalid site certificates and has been granted permission to be changed. This setting is in the user's allowed security settings.

Internet Explorer Explorer Bars alert

Occured on: 4/27/2005 at 10:12:48 AM

Internet Explorer Bar Microsoft Shell Browser UI Library c:\windows\system32\browseui.dll has been granted permission to be installed. This program is in the user's allowed Explorer Bar list.

About Internet Explorer Explorer Bars: An Explorer bar (band) is a panel like the Favorites, History or Search panels that you see in Internet Explorer or Windows Explorer.

TR/dldr.delf.CB.1*2
BDS/Haxdoor.BH*3
TR/dldr.small.ait
TR/Drop.Funweb.A
Drop.Small.NK
BDS/Haxdoor.BH.1*2
PMS.WildTangent.B.1

Interestingly, Norton had already detected and deleted a couple of these files but didn't detect any of the others. I had to boot from a Windows UltimateBootCD, download new DATs for AVPersonal and then run a scan. The AVPersonal scan only took 30 minutes to run; the Trend Micro one has been going for about an hour and is still going. It's a good job I don't charge by the hour.

Microsoft Spyware update


Microsoft released a new version of their Windows AntiSpyware (Beta) for download. What is weird is that the existing beta software had an update routine in it, but when you ran it, it did not detect a new version. Apparently the changes are to do with extra real time protection agents, new threat categories and improved stability and performance (although I never had any performance problems with it).

It's a good job that no one in our office has run the AntiSpyware beta apart from me, as when I ran it on my machine it detected 10 spyware applications - most of them false positives. The scariest thing is that it detects our VPN software as Timbuktu Pro. Now if our users decided to delete it.......

Portable Firefox


I could have done with Portable Firefox on Sunday when round a friend's house and got the "while you are here" request. Turns out that they can connect to the internet, receive and send emails ok, but the web browser wouldn't work. After running a quick check for proxy settings etc. it was obvious that some sort of internal DNS for the browser wasn't working. A quick look in the installed programs and they had Messenger Plus installed. One uninstall and a reboot later, and the machine was functioning as intended. (Note to the Messenger Plus defenders - Yes, they should have read the "optional" requirements - No, you can't expect a 9 year old to understand the implications of installing adware "sponsored" software. To the Messenger Plus attackers, yes the software is actually pretty good - not essential, and yes you can read the instructions.....sometimes)
Now the browser was fixed I was able to download and run Ad-Aware and fix the 130+ files it found. Hopefully a portable Firefox on a USB key will help to have a clean, uninfected browser (or there is the Off By One browser instead that would do the same thing).

Citibank phishing attack.

Comments (3)

Had a nice Citibank email this morning warning me that I needed to log in and check my security details. Amazing - just how did they know that I was using Citibank to hoard my millions earnt from those poor dead people in Nigeria who I didn't even know I was related to?
It looks very authentic and works by including a reference to the real website, so as you hover over the link in the mail the destination shows the real link address. However, they've made the email an imagemap and it's the imagemap that links to some obfuscated URL which ultimately links through to http://211.97.248.60/cit/index.htm. This is a VERY slow loading server in China somewhere, but they have taken down the affected webpages.
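The trick described above (a visible link to the real site, with the clickable image map pointing elsewhere) is mechanical enough to check for. The following is an added example, not code from the post: it walks the HTML of a message, collects every `<a>` and `<area>` destination, and reports any that do not land on the expected bank domain, calling out bare IP addresses and image-map areas specifically. The sample message is constructed; only the IP address comes from the post, and the `example.invalid` look-alike host is an assumption.

```python
"""Flag HTML e-mail links whose click destination differs from what the reader sees.

Added example, not from the blog post.  The constructed message mirrors the
trick the post describes: the visible text and an ordinary <a> point at the
real bank site, while the image map's <area> hrefs go somewhere else.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not a real phishing message).
SAMPLE_EMAIL = """
<html><body>
<p>Please <a href="https://www.citibank.com/">log in at https://www.citibank.com/</a>
to confirm your security details.</p>
<img src="cid:banner" usemap="#login">
<map name="login">
  <area shape="rect" coords="0,0,600,80" href="http://211.97.248.60/cit/index.htm">
  <area shape="rect" coords="0,80,600,160" href="http://www.citibank.com.example.invalid/cit/index.htm">
</map>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every <a> and <area> destination plus the text shown inside <a>."""

    def __init__(self):
        super().__init__()
        self.links = []      # dicts: tag, href, text
        self._open = None    # the <a> currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = {"tag": "a", "href": a["href"], "text": ""}
        elif tag == "area" and a.get("href"):
            self.links.append({"tag": "area", "href": a["href"], "text": ""})

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def audit_links(html, expected_host):
    """Return (tag, href, reason) for each link not on expected_host or a subdomain of it."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = host_of(link["href"])
        if host == expected_host or host.endswith("." + expected_host):
            continue
        if is_ip_literal(host):
            reason = "destination is a bare IP address"
        elif expected_host in host:
            reason = "look-alike host name embeds the real domain"
        else:
            reason = "destination host differs from the expected site"
        if link["tag"] == "area":
            reason += " (hidden inside an image map)"
        findings.append((link["tag"], link["href"], reason))
    return findings


if __name__ == "__main__":
    for tag, href, reason in audit_links(SAMPLE_EMAIL, "citibank.com"):
        print(f"<{tag}> {href}: {reason}")
```

The subdomain test is deliberately suffix-based (`.citibank.com`), so `www.citibank.com.example.invalid` is reported as a look-alike rather than accepted because it merely contains the real name.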

Hotfix for spyware.

Comments (1)

The new batch of critical updates came out overnight and there is one for Windows XP that enables you to install Service Pack 2 if you also have the adware TV Media (TvMedia.tvmbho) software on your machine (otherwise it can repeatedly bluescreen). I think it's interesting that Microsoft have labelled some software as adware and have taken the unusual step of providing a removal tool for it. It will be interesting to see whether they get into the spyware removal business and whether there are going to be more spyware programs that actually break the OS (as opposed to just running hidden within it).

CoolWebSearch Removal


Silent Runners - CWS Removal Procedure - Use at your own risk! A very useful script that I'm sure will come in handy. Just reading the description of why you need this procedure is enough to make the friendly techy pale at the thought of having to run all these tools on all their friends' PCs....
Thanks to Mike for blogging about this.

Spyware Blaster 3 has been released with new updates to download. Although I don't use it, there are those who read this blog who do.

CA Antivirus/Firewall


I installed the CA Antivirus firewall on the parents-in-law computer. The firewall is almost identical to ZoneAlarm. I've not used ZoneAlarm for several months/years now so I can't tell if it is the same as the newer versions, but all the popup dialog boxes and the traffic meters in the taskbar are practically identical. The Antivirus is different and also includes spyware and popup blockers, so it will be interesting to see how good they are - I'm sure I'll have plenty of practice as I've already removed Lop from the computer twice, amongst many other spyware infections on it. I've also installed SpywareGuard, which aims to stop the drive-by installations (and I've also installed Firebird for my own surfing).

Adaware vs Search&Destroy

Comments (1)

Had a major problem with a spyware infection yesterday. User told me that their PC was incredibly slow and Search&Destroy would not fire up. S&D was actually running minimised but it was not possible to restore or maximise it. Turns out that the PC was actually running slowly due to the machine trying to constantly access a faulty CD! I ran HijackThis as the user had a toolbar named "lslyfqudprl" and the homepage was set to mysearchnow. That found the toolbar and an autorun app called dseeglpr.exe -quiet in the registry (which I had already spotted by hand to start with!). I cleaned this and then ran Ad-Aware and it found IGetNet and Lop.com. These were cleaned and then the system ran with Search&Destroy, which found another 5 objects, although these were pictures from Lop. A slow scan of the computer with antivirus software (why oh why do these not detect Lop.com components as viruses or malicious software?) and the user eventually got his PC back a couple of hours later.

Spyware Info and Kazaa


Yesterday's SpywareInfo list had some interesting stories about the latest happenings in the spyware world, including the RIAA's filing of hundreds of subpoenas against users of p2p programs, Morpheus's response of helping users become more anonymous, a scary story of employees of some companies that provide internet access installing keylogging software to obtain bank details from users, Kazaa's latest version now fiddling with your hosts file or refusing to load if you stop it (but the newsletter details a workaround) and a couple of other stories......

As to Kazaa, another option would be to have a dummy hosts file which contains the valid entries, start Kazaa and then immediately move the original anti-advert hosts file back again. This could possibly allow Kazaa to get some addresses, and there is also the possibility of caching of this information whilst Kazaa is running. Also, Kazaa might check whilst it is running that the hosts file has not been tampered with again. The best solution is to have a proper firewall such as Agnitum's Outpost that allows you to block outgoing traffic to certain addresses, so that you can stop the Kazaa program contacting their ad-providing servers and it doesn't matter what is in your hosts file! Speaking of Outpost, they have now released version 2 which is apparently all singing, all dancing and much improved (which is pretty tough as the first version was excellent!). Unfortunately it's not a free download - you have to pay for version 2, though there is a trial version available. I'll probably take a look and see how good it is and might even buy it for home!
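Whichever way the Kazaa problem is handled, it helps to know when the hosts file has been edited behind your back. The following is an added example, not from the newsletter or the post: it parses two copies of a hosts file (a saved baseline and the current one), reports entries that were removed, added or pointed at a different address, and fingerprints the parsed entries so that a reordered or re-commented file does not raise a false alarm. Both files are constructed strings and the ad-server and P2P host names are placeholders.

```python
"""Detect changes to the hosts file against a saved baseline.

Added example, not from the newsletter or the blog post.  Both hosts files are
constructed strings standing in for C:\\Windows\\System32\\drivers\\etc\\hosts
before and after a program has edited it; the host names are placeholders.
"""
import hashlib

# Constructed baseline: a typical anti-advert hosts file.
BASELINE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.invalid
127.0.0.1       banners.example-adserver.invalid   # blocked
127.0.0.1       tracker.example-adserver.invalid
"""

# Constructed "after" file: one blocking entry removed, one redirected, one added.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       tracker.example-adserver.invalid
203.0.113.10    update.example-p2p.invalid
10.0.0.1        banners.example-adserver.invalid
"""


def parse_hosts(text):
    """Map each host name to the address it resolves to, ignoring comments and blanks.

    A later duplicate wins, which matches what the resolver does.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, *names = fields
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def fingerprint(text):
    """Hash of the parsed entries, so reordering or comment edits alone do not alert."""
    canon = "\n".join(f"{n} {a}" for n, a in sorted(parse_hosts(text).items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_hosts(baseline_text, current_text):
    """Return {'removed': {...}, 'added': {...}, 'changed': {...}} between two hosts files."""
    before, after = parse_hosts(baseline_text), parse_hosts(current_text)
    return {
        "removed": {n: before[n] for n in before.keys() - after.keys()},
        "added": {n: after[n] for n in after.keys() - before.keys()},
        "changed": {n: (before[n], after[n])
                    for n in before.keys() & after.keys() if before[n] != after[n]},
    }


if __name__ == "__main__":
    if fingerprint(BASELINE_HOSTS) != fingerprint(TAMPERED_HOSTS):
        for kind, entries in diff_hosts(BASELINE_HOSTS, TAMPERED_HOSTS).items():
            for name, value in entries.items():
                print(f"{kind}: {name} -> {value}")
```

In practice the baseline fingerprint would be stored once (after you have finished editing the file yourself) and the comparison run from a scheduled task; a changed fingerprint is the signal, and the diff tells you which blocking entries to put back.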

Dissecting a 'Gator


A student at Harvard has published his study of how Gator works, the software that claims to auto-fill forms for you but actually targets pop-up ads on your PC.

I did a bit of research on the SpywareInfo forums this morning, which led me to the msgplus.net article that claims that the advertising software is an optional install and can be skipped by not selecting the appropriate box on install. However, they also claim that uninstalling MSNPlus also goes through the uninstall routine for the ad software. We all know that Lop is extremely difficult to get rid of and certainly is not uninstalled by uninstalling it... Therefore my, and Neil's, recommendation is not to install MSNPlus.

Ages ago Neil recommended a download of Messenger plus which added loads of neat features to MSN Messenger. The latest version has apparently been bundled with some spyware in the form of a LOP client. More details available on the online version of spywareinfo.net. I would therefore strongly recommend against downloading the newest versions of this software, although the old ones are probably still safe.

Powered by Movable Type 4.1

About this Archive

This page is an archive of recent entries in the Spyware category.
